I'm new to Logstash, I've set up the "SexiLog" appliance (it's an ELK appliance mostly developed for VMware logs).
I'm trying to catch an Extreme Networks WiFi controller's logs.
Actually, all the logs are received through the same default input file from SexiLog.
I would like to add a tag to the logs from the WiFi controller, to filter only these logs. What's the best way to do it?
Actually, this is the default input file:
If that is your only input on 514 then you just choose the type field. If you have multiple inputs each input can have a type. What do you mean by source IP?
Just write a grok to match what you are going to get.
Not sure exactly what you mean, but the udp input will create a field with the IP address and (I think) source port of the connecting client. If the IP address is fixed and you want to add a human-readable field or tag you can use a conditional filter similar to this:
Okay, so you basically have a list of key/value pairs (of the form KEY[VALUE]). In most key/value cases one would use the kv filter, but that won't work in this case so we'll have to use grok. The following can be used to parse a single such key/value pair:
Do you have a clientip field in your messages? I only gave you an example of what a conditional could look like. You'll have to adapt it to the set of fields you have at your disposal.
Secondly, it's not clear what you mean by this:
mutate {
add_tag => ["ewc"]
type => ["ewc"]
}
Was the intention to set type equal to "ewc"? Or apply the add_tag option unless type was already equal to "ewc"? Either way it won't work, but if I know what you tried to do I can explain what you should do instead.
I don't have a client IP in the log but I have a host.
I changed it to this:
if [host] == "10.9.8.xx" {
  mutate {
    add_tag => ["ewc"]
    # mutate has no "type" option; replace overwrites the existing type field
    replace => { "type" => "ewc" }
  }
}
I want to change the type, because the default type is esxi.
I just want to be able to differentiate the logs from ewc and the logs from esxi, to easily filter on the dashboard.
It's cleaner if the ewc logs have the ewc type, right?
I'm just starting to have a look at that, but I'm not really sure I understand what to do with it.
I just tested it in the grok debugger, and it looks to provide the right info.
What will be the correct syntax in the filter?
Something like this?
grok {
  # literal brackets must be escaped, and each capture needs a name
  match => [
    "message", "EventType\[(?<EventType>[^\]]+)\]",
    "message", "MAC\[(?<MAC>[^\]]+)\]"
  ]
  # by default grok stops at the first matching pattern; keep going so both fields are extracted
  break_on_match => false
}
I still have a question. In the log I have the Detail part:
EventType[Roam] MAC[4C:8D:79:4B:XX:XX] AP[APNAME2-1] FromAP[APNAME2-1] BSSID[D8:84:66:3C:XX:XX] Details: Inside AC from AP/Radio[2] to AP/Radio[1] VNS[SSID]
How can I split that one: Details: Inside AC from AP/Radio[2] to AP/Radio[1]
I think I've set up all the rules now, also for the details, don't know if it's the right way to do it.
BSSID\[(?<BSSID>[^\]]+)\] Details: Inside AC from AP/Radio\[(?<FromRadio>[^\]]+)\] to AP/Radio\[(?<ToRadio>[^\]]+)\] VNS\[(?<VNS>[^\]]+)\]
The last log I have is this one, I have no idea how to manage it:
events: Access Point AP Serial Number 15281595085E0000: 12/07/15 13:10:24: DCS Measured Noise -87dBm Dropped below Threshold of -80dBm on chann. 5200Mhz 3
By the way Magnus Bäck, thank you very much for your help.
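As an added example (not code from the thread or from Logstash/SexiLog), the two log shapes quoted above parsed in Python with named-group regexes that mirror the grok captures; the field names FromRadio/ToRadio, ap_serial, ap_time, noise_dbm, threshold_dbm and channel_mhz are assumptions, and the sample lines are constructed from the ones in the thread.

```python
import re

# Constructed sample lines based on the two shapes quoted in the thread
# (MAC/BSSID octets and the AP serial are placeholders, not real devices).
ROAM_LINE = ("EventType[Roam] MAC[4C:8D:79:4B:XX:XX] AP[APNAME2-1] FromAP[APNAME2-1] "
             "BSSID[D8:84:66:3C:XX:XX] Details: Inside AC from AP/Radio[2] to AP/Radio[1] VNS[SSID]")
DCS_LINE = ("events: Access Point AP Serial Number 15281595085E0000: 12/07/15 13:10:24: "
            "DCS Measured Noise -87dBm Dropped below Threshold of -80dBm on chann. 5200Mhz 3")

# Generic KEY[VALUE] pair: Python's (?P<name>...) is the grok/Oniguruma (?<name>...).
# The bracket class [^\]]* is what makes the kv filter unnecessary here.
KV_RE = re.compile(r"(?P<key>[A-Za-z/]+)\[(?P<value>[^\]]*)\]")
# The "Details:" clause; field names FromRadio/ToRadio are assumed.
DETAILS_RE = re.compile(r"Details: Inside AC from AP/Radio\[(?P<FromRadio>\d+)\] "
                        r"to AP/Radio\[(?P<ToRadio>\d+)\]")
# The DCS noise line; all field names are assumed. The trailing " 3" is left unparsed.
DCS_RE = re.compile(r"events: Access Point AP Serial Number (?P<ap_serial>[0-9A-F]+): "
                    r"(?P<ap_time>\d{2}/\d{2}/\d{2} \d{2}:\d{2}:\d{2}): "
                    r"DCS Measured Noise (?P<noise_dbm>-?\d+)dBm Dropped below Threshold of "
                    r"(?P<threshold_dbm>-?\d+)dBm on chann\. (?P<channel_mhz>\d+)Mhz")


def parse_event(message):
    """Extract KEY[VALUE] pairs; the Details clause is parsed first and removed so its
    two AP/Radio[...] tokens do not collide with each other as generic pairs."""
    fields = {}
    m = DETAILS_RE.search(message)
    if m:
        fields.update(m.groupdict())
        message = message[:m.start()] + message[m.end():]
    for key, value in KV_RE.findall(message):
        fields[key] = value
    return fields


def parse_dcs(message):
    """Parse the DCS noise line into typed fields, or None if it is another shape."""
    m = DCS_RE.search(message)
    if not m:
        return None
    fields = m.groupdict()
    for name in ("noise_dbm", "threshold_dbm", "channel_mhz"):
        fields[name] = int(fields[name])
    return fields


def classify(host, ewc_hosts=("10.9.8.xx",)):
    """Same decision as the `if [host] == ...` conditional: controller logs get type ewc,
    everything else keeps the appliance default esxi. ewc_hosts is a constructed list."""
    return "ewc" if host in ewc_hosts else "esxi"
```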